I separately emailed Martin this same question. He was kind enough to send me a link so sharing here.
The below link provides an example of using OpenSCAP to consume RedHat data on vulnerabilities in RedHat Linux.
http://www.open-scap.org/page/Documentation#How_to_run_vulnerability_scan_on...
This may seem terribly obvious to experienced Scappers, but it is only obvious once you see it. I know this because some colleagues of mine need to do a "vulnerability scan" for a government client and were looking at Nessus because they thought OpenSCAP was just for checking configuration. It took me a bit, too, to make the connection.
Looking for more examples and documentation as this would be a useful thread for us newbies...
Greg Elin
On Sun, Mar 22, 2015 at 6:40 AM, Greg Elin gregelin@gitmachines.com wrote:
To date, I've used OpenSCAP to check the configuration of Unix operating systems against government baselines.
But I assume OpenSCAP can consume any SCAP content including daily CVE feeds? I have not tried that yet. And superficial searching did not reveal any obvious documentation.
Does anyone know of a good example that would get a person started with using OpenSCAP to consume CVE feeds? Any recommendations of freely available feeds?
Thanks!
Greg Elin
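The vulnerability-scan workflow the thread points at, written out as an added example (it is not taken from the linked documentation or from either poster): fetch Red Hat's OVAL feed of RHSA patch definitions, evaluate it with `oscap oval eval`, and list the definitions that came back true, meaning the advisory applies and its fix is not installed. The feed URL is an assumption (Red Hat's public OVAL feed at the time), and the results XML at the end is a constructed sample, not real scan output.

```shell
#!/bin/sh
# Added example: vulnerability scan of a Red Hat system with OpenSCAP.
# Red Hat publishes its security advisories as OVAL "patch" definitions;
# oscap evaluates them against the installed RPMs, and a definition that
# evaluates to "true" means the advisory applies and its fix is missing.

# Assumption: Red Hat's public OVAL feed of all RHSA definitions.
OVAL_FEED_URL="https://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml"

# Fetch the feed (if not already present) and evaluate it. Writes machine-
# readable results plus an HTML report. Needs network access and oscap.
run_rhsa_scan() {
    feed="${1:-com.redhat.rhsa-all.xml}"
    results="${2:-rhsa-results.xml}"
    [ -f "$feed" ] || curl -sSf -o "$feed" "$OVAL_FEED_URL"
    # oscap returns non-zero when any definition is true; that is the finding,
    # not an error, so the exit status is ignored here.
    oscap oval eval --results "$results" --report rhsa-report.html "$feed" || true
    echo "$results"
}

# Print the ids of definitions that evaluated to "true" in an oscap results
# file, i.e. the advisories whose fix is not installed on this host.
list_true_definitions() {
    awk 'BEGIN { RS = "<" }
         /^definition / && /result="true"/ {
             sub(/.*definition_id="/, ""); sub(/".*/, ""); print
         }' "$1"
}

# Constructed sample results (not real scan output): two advisories apply,
# one does not.
write_sample_results() {
    cat > "$1" <<'EOF'
<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
  <results><system><definitions>
    <definition definition_id="oval:com.redhat.rhsa:def:20150290" result="true" version="601"/>
    <definition definition_id="oval:com.redhat.rhsa:def:20150100" result="false" version="601"/>
    <definition definition_id="oval:com.redhat.rhsa:def:20150327" result="true" version="602"/>
  </definitions></system></results>
</oval_results>
EOF
}

# Stand-alone demo on the constructed sample; for a real host, call
# run_rhsa_scan and feed its results file to list_true_definitions.
sample="$(mktemp)"
write_sample_results "$sample"
list_true_definitions "$sample"
rm -f "$sample"
```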